Posted by timothy on Sunday November 18, 2012 @03:19PM
from the shhh-this-is-the-conspiracy-room dept.

Freddybear writes "If your computer has been cracked and subverted for use by a botnet or other remote-access attack, is it legal for you to hack back into the system from which the attack originated? Over the last couple of years three legal scholars and bloggers have debated the question on The Volokh Conspiracy weblog. The linked webpage collects that debate into a coherent document. 'The debaters are:

Stewart Baker, a former official at the National Security Agency and the Department of Homeland Security, a partner at Steptoe & Johnson with a large cybersecurity practice. Stewart Baker makes the policy case for counterhacking and challenges the traditional view of what remedies are authorized by the language of the CFAA.

Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington School of Law, a former computer crimes prosecutor, and one of the most respected computer crime scholars. Orin Kerr defends the traditional view of the Act against both Stewart Baker and Eugene Volokh.

Eugene Volokh, Gary T. Schwartz Professor of Law at UCLA School of Law, founder of the Volokh Conspiracy, and a sophisticated technology lawyer, presents a challenge grounded in common law understandings of trespass and tort.'"

This concern is one of the fundamental issues to consider in discussing philosophy of "violence". Another is what degree of force is appropriate.

Thinking on these things and recognizing that people make mistakes in both action and perception, and that people often have a tendency to perceive malice from others, it seems that there's a positive bias for violence. That is, "violence begets violence".

10 times out of 10, if you hack into the system where the attack is coming from, you will be hacking into a system owned by an innocent third party that was also hacked. You are then violating that party a second time. Let's take a more concerning scenario: You discover an attack that is originating from a competitor. You hack back into their system. This situation can only end badly. First, if they were responsible you have now spoiled evidence. Second, if they are not responsible and were also hacked as a jumping off point, you now have hacked into a competitor's system and compromised them. You should now have to pay damages because they have no way to tell that you didn't steal their corporate secrets while you were there in their system.

At least some of the argument in TFA assumes that the botnet's toolkit has itself been cracked and exploits are available making it possible to turn the tables on the botnet controllers. That may be a rather large assumption, even just for the sake of the argument.

Not easily. The commercial botnets typically use a command-and-control structure with various proxies or zombied hosts in between the attacker and the victim. Tracing or cracking one's way back through the botnet can often cause more damage to the intermediate hosts than the botnet is causing.

Not easily. The commercial botnets typically use a command-and-control structure with various proxies or zombied hosts in between the attacker and the victim. Tracing or cracking one's way back through the botnet can often cause more damage to the intermediate hosts than the botnet is causing.

BS. What "damage" will it cause?

Chances are it's just another victim's computer. Since they're being used as a node, it would only be common sense for there to be a script that forcibly removes it from the internet so that you can't follow it to the next level. So by gaining access, you might trigger something that bricks another victim's computer. Why this is done? So that you can't get the IP that is controlling the node, and so that you can't appropriate the other computers that are being controlled by the node.

If someone brought one of my machines down with a message "This machine was used in an attack on my network because it is part of X botnet." I would be angry. Angry that I was in a botnet, not that someone sought to fix it. Though that is just me : )

I've only been rooted once (that I've been able to discover). Around 2003 I installed a redhat box from disc (big mistake) and left it unpatched for a few days. Went in to patch it and found a shitstorm of garbage installed on it. Traced it back to an ssh

This isn't really self defense; your actions didn't PREVENT harm from occurring to you, this was rather vendetta: he did X to me, I did it back. I don't think this should be legal, because it could escalate into cyber-wars. Much like you can't steal something that was stolen from you in the first place - you can't take justice into your own hands.

If the retaliation occurs after the fact, this is correct; however, if the retaliation occurs while the instigating attack is ongoing, you are preventing [further] harm by putting an end to the offending party's ability to attack. That's textbook self defense [which does allow for use of nonlethal force and destruction of the means used to carry out the attack in cases where one is defending their property].

In retrospect, I realize the above reply might not make my point effectively. Let's roleplay:

I'm hacking Slashdot's servers right now. I'm doing so by exploiting the HTTPd they are using. Let's just have them close port 80 to stop me, right? If that was the correct and reasonable response, I could take out half the internet in a day.

Depends. If they are DDOS'ing your connection by sheer volume of traffic merely closing the port will do nothing. That data is still going to come down your pipe and choke your connection, even if your firewall drops the packets.

You also have to consider that closing the port might be expensive for you. What if it is running some vital service your company needs, like email?

The problem here is that self defense is legal in context of preventing harm to yourself - typically this means your body. You're not allowed to attack somebody for busting up your car with a hammer, for example.

Except for their lagging behind, as far as I'm concerned any retaliatory measures should be done by the police, or if the attack originates in a country that doesn't cooperate with your police, the military.

IE You're in the USA:
Hack comes from within the USA - FBI, ie federal police. If it comes from next door, local police
Hack comes from, say, Australia - The FBI contacts their counterparts there and the investigation continues
From a country without formal legal agreements - Interpol assists
From a hostile country, such as North Korea? Military, maybe.

That is not true. You are allowed to use degrees of non-lethal force (such as a fist) to defend your property.

From the Wikipedia article on self-defense: "The ownership and possession of property confer a certain right to defend that possession, [including] a defense of it which results in an assault and battery, and that which results in the destruction of the means used to invade and interfere with that possession."[4] People v. Kane, 131 N.Y. 111 (142 N.Y. 366, 37 N.E. 104)

I think someone's reading comprehension is shot to hell. My situation play STARTED: Someone is in my home uninvited, they are trespassers intent to do harm to those who are authorised to be in my home.

In Texas, if someone is letting the air out of your tires (at night), you may shoot them in the back (some restrictions may apply).

Also, most places (not just Texas) allow for a reasonable response. You are allowed to raise your arms to attempt to deflect an incoming blow, even if that block causes the attacker harm. The attacking the body analogy you used is inappropriate, as you noted they aren't attacking your body, but you aren't attacking their body back. A better analogy is that if someone is smas

You misunderstood me. Murderface proposed using self-defense clauses to excuse the counter-hacking. I disagreed - you're only allowed to commit harm, legally, in self defense. This doesn't qualify as self defense, because there's no bodily harm involved.

Thus raising your arms to deflect a blow, or even raising a metallic object to help block at the cost of your attacker's hand is perfectly legal - because blocking the blow is blocking injury, and you're allowed to use force in that case anyways - you'd b

I don't think murderface was implying that the self defense literally, but the spirit of the law. If you "attack me", then, under the "self defense" doctrine, I'm allowed to respond with corresponding force to halt the attack. If you are attacking my property, then I should be able to respond with corresponding force to halt the attack.

It makes sense to me, but the law has little comprehension of an attack on property, as usually people don't damage things for fun.

So if Anonymous hacks Iranian servers that would justify Iran sending a few missiles our way? Or if a random Israeli hacker hits some Iranian sites that makes their country a valid target too?

Believe it or not, but Iranian police DO cooperate to some extent with US and European police. There's a reason I stuck a 'maybe' on military action at that point and listed North Korea. It's also a diplomatic issue now that I've been away from it for a bit. Basically, the military is the only force

Hacking is rarely done at state level, so military force is extreme and almost certainly unlawful.

Did you know that the DoD now has cyberwarfare divisions? I wasn't necessarily suggesting a missile strike, that was all on you. The point I was trying to make is that you work with the police whenever po

'Except for their lagging behind'. I'm aware of the difficulties. I just think that we need to solve that rather than go vigilante. Legalize drugs, retrain/retire & replace the vice departments and put them to work fighting identity theft, botnets, computer hacking, and such.

Just change it to this: "If your house has been robbed, is it legal for you to break into the other persons house and steal your stuff back?"

Doesn't help; that's not a simple question either. The answer is sometimes and in some places yes, other times and in other places no.

Personally I'm all for self-help because the courts are useless for actual redress of small grievances; by the time you've gotten through the process, you'll have cost yourself more than letting the issue pass, and likely have lost anywa

A question of legality depends heavily on the location, time, and far more other circumstances... let's reduce it to morality, instead.

On the one hand, you have "an eye for an eye", where it's allowed to return in kind any grievance, such as a hack's damage to one's reputation and possible loss of control over one's identity. On the other hand, you have "two wrongs don't make a right", where it's best to let society's authorities deal appropriate punishments to serve justice, and everyone leaves unhappy, bu

As with most ideas in the Bible, the original concept goes much farther back. The specific "eye for an eye" law dates to as early as 1700 BCE [wikipedia.org], and the philosophy of reciprocal justice is likely older still.

Of course, the Bible contradicts itself as well, and in other places says that absolute restraint is the preferred resolution of conflict (turning the other cheek, giving one's robe, and other such verses). This notion also dates even further back, as early as ancient Egypt's concept of the goddess Ma'at,

A house is just property, a computer can be a proxy of one's self and actually do actions on your behalf. It's more like a person attacking you and fighting back at that person than someone breaking into your house then you breaking into their house.

"If your house has been robbed, is it legal for you to break into the other persons house and steal your stuff back?"

As long as you do not cause damage, it is probably not a criminal offence under English law; it is more likely to amount to trespass, which is a tort. If the thief wishes to sue you, he/she is welcome, and I doubt a court would look favourably on it.

"If you detect someone robbing your home, is it legal for you to follow them back to where they came from and place a bad-luck curse on that residence/business that causes all kinds of things there to go wrong?"

If someone is breaking into your house and you see their car parked outside, and it's otherwise illegal to place a GPS transmitter on someone else's car, can you place a GPS transmitter on their car to help determine their identity and contact information so you can help enforcement against them?

No, the analogy is good, you're reading it too literally. The question is not whether hacking equals robbing, but whether being wronged gives you authority to retaliate in the same way against the other party, regardless of the actual way you've been wronged. This is something that most legal systems in the world usually explicitly disallow: if an act is against the law when done against you, it is still against the law if you do it in retaliation against the offending party.

Control is taken, and usually cannot be recovered. Control over one's identity is extremely valuable, as maintaining that control allows one to also maintain control over one's finances and reputation, and in turn that affects one's control over the record of their history, which can heavily influence later abilities.

Control is taken, and usually cannot be recovered. Control over one's identity is extremely valuable, as maintaining that control allows one to also maintain control over one's finances and reputation, and in turn that affects one's control over the record of their history, which can heavily influence later abilities.

Clearly.

But counter attacks do nothing toward maintaining said control. Once your dark dirty secrets are out in the open, all the attacks in the world won't put the Genie back in the bottle.

*Even in the case where something is taken, it's just copied, not removed from your possession. You can't break in and 'get your stuff back' because it was never taken away. And you also can't break in and erase it because it's been copied since.

There are documents/data items where mere possession constitutes a huge advantage for the attacker. Not everyone is out to steal your porn collection. (Trade secrets, bank accounts, computer code, hidden treasure maps, whatever).

In such cases the counter attack is not designed to "take back", but rather identify the attacker such that you can take steps to prevent the use/sale of such information.

Like unringing a bell, failure to do this very quickly pretty much obviates the need to do it at all. Once your t

That's not reasonable force when the alternative is to block the act through some other non-aggressive means. And as the AC poster above suggests, you don't know you are retaliating against the correct target.

The legal arguments are interesting. It's amusing to see lawyers struggle with reasoning through analogy. They're trying to hammer property law, trespass law and assault law into covering this, and it's not working.

In almost all modern online attacks, the immediate source of the attack is a machine owned by an innocent third party. While this is common online, it is a rare situation in the physical world. It can come up in auto repossessions where the repossession was not legally authorized, the repossession agent reasonably believed that it was, and the vehicle owner resisted. Most states have specific laws in that area, and repossession agents are limited in what they can do. [westcoastbk.com]

If someone steals your car and drives it to land they own, do you have the right to trespass onto it to get your car back? If you see them driving it away in a tow truck, do you have the right to shoot out the tires of the tow truck if you can do so without causing losses to third parties? Do you have the right to shoot the driver of the tow truck? If the car thief is driving your car away, do you have the right to shoot out the tires if it won't damage third parties? Do you have the right to shoot the d

If someone steals your car and drives it to land they own, do you have the right to trespass onto it to get your car back?

Perhaps a fussy point but, if you have a right to be on the land, you cannot be trespassing. Even if you did trespass on the land, what is the likelihood of a court finding that you were trespassing and, even if it did, what would the likely measure of damages be?

ok. If you force a gate to recover your illegally taken vehicle, you could be done for trespass, which would be mitigated by your intent to recover "your" property. I used quotes because you don't actually own that vehicle, the DVLA does (in the UK). When you register that vehicle, you get a form back (registration document) describing the vehicle, and describing you as the "REGISTERED KEEPER". You do not own the vehicle, you just signed over title and ownership to a corporation; you are responsible for mak

Even if you force the gate, it is not trespass. They invited you onto their property by acquiring and stowing your property on it without your permission. In order to recover your property, you obviously have to gain entry to that property.

Well, I wasn't speaking from a legal perspective. From a legal perspective of course it is trespass because you are a normal law abiding citizen and they would much rather arrest you for a crime than the possibly armed bad guy who stole your stuff. But from a moral perspective, it is definitely justified to thwart whatever barriers they have put up between you and your property.

Of course it isn't. The only time something that's normally a crime isn't is when violence is self-defense. Absolutely nothing else in our system of law has a "he started it" defense. Leaving aside that no judge is going to accept that hacking is violence without legislative action that will never happen, the normal standards of self-defense could still never apply. Given that you can't know you've been hacked until after it's done, it would instead be retaliatory, which is naughty.

Some people above are debating whether stealing stolen stuff is a crime. The answer is: it's not stealing. That is still your stuff. If somebody grabs your shit right off your person, that's also assault, so you're free to tackle them to get it back. If they steal it off a table or something, you might have more of a problem; you're still not stealing, but depending on where you live and whether the prosecutor's got a bug up his ass, using force to retrieve your stuff might get you in trouble. Same for carjacking your stolen car, and if you don't somehow do it the same time it happens to you, I imagine using a gun like that would at least get you arrested anywhere, in court anywhere but Texas, and convicted anywhere north of the Mason-Dixon line.

The larger point here: hacking is not exactly the same as assault, theft, or trespass, and applying the same logic to it is something almost any good judge would refuse to do for fear of unintended consequences. For instance: since you don't know who's hacking you until you've checked them out, if you counter-hack them, you might wind up hacking the police. That's kind of a good thing from a civil rights standpoint, as it means they are on the same level as us, bound by the same natural consequences of their actions, but hacking the police would only be legal in a goddamn utopia. Furthermore, counter-hacking might theoretically lead you to the wrong person if you're not as skilled as your attacker. While this is not the reason trespass is illegal, one can easily imagine trying to steal your stuff back and getting the wrong house, and that's when you're looking for a physical location which you know is associated with a specific person. With counter-hacking, you're looking for a computer somewhere which may or may not belong to your attacker which may or may not have PID stored that is legitimately associated with said bastard.

So, the whole argument boils down to this: hacking is hacking. It is not other activities, and cannot be usefully treated as similar to other crimes. The closest other thing is wiretapping, and nobody asks if it's okay to do that in a retaliatory fashion. Because of historical computer culture stuff, it might be argued that hacking shouldn't always be illegal, but currently it is, so that is the very obvious answer to the original question of this article. They should've been asking "should counter-hacking be legal," and because of the potential for harm to uninvolved third parties, I am kind of surprised to find myself saying that it should definitely not be. Counter-hacking should never happen without a warrant, and evidence gathered by it needs to be scrutinized very closely to make sure the right guy is caught.

Your ability to not-read what I wrote and still read a whole bunch of extra words into it is a truly astonishing talent. I can tell that you didn't really read it due to one simple error: when I talked about self-defense, you failed to notice that I said nothing else has a "he started it" defense. With the exception of "fighting words," which is a very weak defense where it exists, and defense of property, which is explicitly not a defense in more backward locales, everything you mentioned in your tirade wa

Assault is (basically) when I do something that would cause a reasonable person to fear for their safety of body, and possess the means to carry through with it. Basically -- it's when I draw my fist back threatening to punch you, but not the actual punch itself -- although if I do punch you, you almost certainly reasonably fear for your safety.

Wrong. Common assault is the unwanted contact of any part of one person's body with any part of another person's body no matter how violent or incidental. Offences Against The Person Act 1861 and section 39 of the Criminal Justice Act 1988. I could swat a bit of dandruff off your shoulder or tap your elbow to get your attention. If you're having a bad day you could press charges for common assault and they would STICK. The second an incident of contact causes bruising or swelling or draws blood, then it's a

"If someone breaks into my computer system, is it legal for me to break into his?". OK, rephrase it: "If someone breaks into my house, it is legal for me to break into his?". Answer the second, you've answered the first.

The fuzzy issue is that his break-in into your house was burglary, but your break-in is not. Why not? Because part of the definition is that you must be doing something otherwise illegal, or else it's just simple trespass. And simple trespass isn't so simple if you remove the breaking-in component to clarify the situation.

If you followed the burglar home and he placed all your stolen items in his back yard, behind an unlocked gate with a "no trespassing" sign on it, is it illegal for you to enter the ya

If you have to move the gate to gain entry then it's trespass. If you are trespassing to recover your own property then it's still only trespass. The only burden on you is to prove a: that the gate was ajar if you are going the whole hog, and/or b: that the stolen property is yours. If you can do b to the criminal standard (produce receipts, photographs and/or insurance documents), then chances are that the trespass charge against you would be dropped anyway.

The one in the middle with no clue on security will be used by the bad ones and destroyed by the good ones? Odds are high that you will hit an innocent (or at least, clueless) bystander. From his point of view, both sides are evil ones.

On the other hand, **AA may not hack, but instead sue those people serving as proxy, maybe attacking them will prevent far bigger economical damages if they get sued (and that, without going to the "intelligence" agencies that could attribute to such proxies as originators

Back when highspeed internet wasn't as ubiquitous as it is today, I remember a friend on IRC who owned a computer shop telling me some stories of counter hacking. I have no idea how legit the following story is since I wasn't actually there for any of it, and I'm fuzzy on a lot of the details since it was related to me nearly 10 years ago. Despite all that, I think it has some relevance in that it's an easy target to pick specifics from and discuss them, rather than having to rely on sketchy car analogies

Depends on the circumstances (and jurisdiction). The 'proven murderer' isn't the key*. What is important is whether you reasonably felt your life or property (or those of a bystander) to be in immediate jeopardy. If so, open fire, or take whatever measures are necessary to stop the threat. It tends to work out fine in most places in the USA.

*You can't reasonably be expected to know an attacker's state of mind or criminal history.

Is it legal for you to steal your stuff back from a robber?
Can you carjack a carjacker if (s)he is driving your car?
Same applies here

Doesn't this concept validate everything the *IAA does in attempting to control use of their "IP"? If MY 0's and 1's are steal-able stuff then THEIR 0's and 1's are the same... Not real wild about that idea.

If MY 0's and 1's are steal-able stuff then THEIR 0's and 1's are the same...

The difference, to my mind, is that theft applies to property (at least, it does under English law), and I'd argue [slashdot.org] that 0s and 1s are not capable of being property. Their order may be capable of protection, as copyright, but, in this case, it is the copyright which is owned, not the underlying sequence of bits.

I would tend to agree with you about the theft issue. But it still leaves the whole "ownership of information" in the murk. If I had the right to pursue someone digitally back to the system used to copy "my" data (i.e. "my IP") and then possibly take action against what I deem to be the offending system, what kind of power would that convey to any commercial rights holder seeking the source of, say, shared files? To my mind, the concept of justified retaliatory action is not even a slippery slope, it's a c

I am not aware of a crime of "breaking and entering" under English law — it's possible that there is one which I have not come across, of course.

The nearest I know is the crime of burglary [legislation.gov.uk] — which is, in effect, trespass plus theft (or a number of other crimes, including rape and criminal damage, depending on whether the relevant intention is there). However, if the only act upon entering the premises is the removal of one's own property, the second part is not made out, so it remains just tr

breaking and entering v., n. entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime (of any description beyond the actual entry), this is burglary. If there is no such intent, the breaking and entering alone is common trespass.

I stopped a police officer cold on this. Told him he had three seconds to get the fuck out of my kitchen (I had just come in from work and found him there talking to

If there is intent to commit a crime (of any description beyond the actual entry), this is burglary

This isn't the case under English law — the crime must be one from a set list, which varies according to when the necessary intention was formed, for it to be burglary. (It looks like the example I use above of rape is incorrect too.) We agree, it seems, that, without this element, it's just a matter of trespass.

From a legal perspective, no it is not legal to steal your stuff back from a robber. If you can prove it is yours, then you can get the police to force them to give it back, but if you know it is yours and don't have proof, then you can be arrested for stealing it back, and since you are a normally law abiding citizen, and the person you stole from is a dangerous robber, the police would rather arrest you because you are not actually dangerous.
A guy I know had a bike stolen when he was a kid. He had the se

You may not have noticed this (yet) but nerds are not above the law. "Can I do this?" is obviously the first question a nerd should ask in a situation like this. "Will I go to prison for doing this?" should be a close second.

"...No ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter." -- Nathaniel Borenstein

So if I was checking my Email, and found this phishing email in it specifically asking me to send information like name, address, social security number etc. to them; would it be wrong of me to write a program that sends them a terabyte of names, addresses, social security numbers, credit card numbers, all sliced and diced into uselessness?

So if I was checking my Email, and found this phishing email in it specifically asking me to send information like name, address, social security number etc. to them; would it be wrong of me to write a program that sends them a terabyte of names, addresses, social security numbers, credit card numbers, all sliced and diced into uselessness?

A good random number generator might be indistinguishable from one that does just that.